Docker - No route to host

Problem description

When I try to connect to a port from within my container to another container, I am unsuccessful and get,

root@ac1590a59fe5:/opt/f5massupgrade# curl -v https://172.17.0.1:6379
* Rebuilt URL to: https://172.17.0.1:6379/
* Hostname was NOT found in DNS cache
*   Trying 172.17.0.1...
* connect to 172.17.0.1 port 6379 failed: No route to host
* Failed to connect to 172.17.0.1 port 6379: No route to host
* Closing connection 0

From the docker host I am successful,

[root@docker-host ~]# curl -v https://172.17.0.1:6379/0
* About to connect() to 172.17.0.1 port 6379 (#0)
*   Trying 172.17.0.1...
* Connected to 172.17.0.1 (172.17.0.1) port 6379 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

If I check the iptables I can see the issue,

[root@docker-host ~]#  iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i docker0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

So I add the following and it all works well,

iptables -I INPUT 4 -i docker0 -j ACCEPT

Am I missing something here?

[root@docker-host ~]# docker version
Client:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Server:
 Version:         1.9.1
 API version:     1.21
 Package version: docker-common-1.9.1-40.el7.centos.x86_64
 Go version:      go1.4.2
 Git commit:      ab77bde/1.9.1
 Built:
 OS/Arch:         linux/amd64

Thanks

Recommended answer

We hit this issue on a RHEL box which was running firewalld. The firewall was preventing container to host access (other than icmp traffic).

We needed to configure the firewall to allow traffic from the docker containers through to the host. In our case, the containers were in a bridge network on subnet 172.27.0.0/16 (determined via docker network ls and docker inspect <network-name>). Firewall rules for firewalld can be updated via:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=172.27.0.0/16 accept'
firewall-cmd --reload

This was a useful reference in resolving the issue.
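
The first-match behaviour behind the symptom, as an added example that is not part of the original question or answer: the catch-all `REJECT --reject-with icmp-host-prohibited` rule is what curl reports as "No route to host", and an ACCEPT rule only helps if it sits above it. The function name `input_verdict` and the two sample chains are constructed for illustration (based on the listing in the question); the walker only understands the match options that appear on this page.

```shell
#!/bin/sh
# Added example: first-match walk over `iptables -S INPUT` output for a NEW
# TCP connection. Understands only -i, -p, --dport, --state/--ctstate and -j;
# any other match option yields UNKNOWN rather than a guess.

# input_verdict IFACE PORT  (rules on stdin) -> prints the deciding target
input_verdict() {
    awk -v iface="$1" -v port="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        match_ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if      ($i == "-m") { i++ }              # module name only
            else if ($i == "-i") { if ($(++i) != iface) match_ok = 0 }
            else if ($i == "-p") { if ($(++i) != "tcp") match_ok = 0 }
            else if ($i == "--dport") { if ($(++i) != port) match_ok = 0 }
            else if ($i == "--state" || $i == "--ctstate") {
                if (("," $(++i) ",") !~ /,NEW,/) match_ok = 0
            }
            else if ($i == "-j") { target = $(++i) }
            else if ($i == "--reject-with") { i++ }   # option of the target
            else { print "UNKNOWN"; done = 1; exit }
        }
        # First matching rule with a target decides the packet.
        if (match_ok && target != "") { print target; done = 1; exit }
    }
    END { if (!done) print (policy != "" ? policy : "UNKNOWN") }
    '
}

# Constructed sample: the chain from the question without the docker0 rule.
rules_before() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
# The same chain after `iptables -I INPUT 4 -i docker0 -j ACCEPT`.
rules_after() { rules_before | sed '4a\
-A INPUT -i docker0 -j ACCEPT'; }

echo "before: docker0 -> 6379: $(rules_before | input_verdict docker0 6379)"
echo "after:  docker0 -> 6379: $(rules_after  | input_verdict docker0 6379)"
```

On a live host the same function can be fed with `iptables -S INPUT | input_verdict docker0 6379`; with firewalld in use the INPUT chain jumps to other chains, which this walker reports as the jump target rather than following.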